{"id":254452,"date":"2026-05-22T09:14:00","date_gmt":"2026-05-22T13:14:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/22\/drupal-critical-sql-injection-flaw-now-targeted-in-attacks\/"},"modified":"2026-05-24T21:10:11","modified_gmt":"2026-05-25T01:10:11","slug":"drupal-critical-sql-injection-flaw-now-targeted-in-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/22\/drupal-critical-sql-injection-flaw-now-targeted-in-attacks\/","title":{"rendered":"Drupal: Critical SQL injection flaw now targeted in attacks"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/drupal-critical-sql-injection-flaw-now-targeted-in-attacks\/\">Drupal: Critical SQL injection flaw now targeted in attacks<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/drupal-critical-sql-injection-flaw-now-targeted-in-attacks\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/drupal-critical-sql-injection-flaw-now-targeted-in-attacks\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-22 09:14:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p style=\"text-align:center\">\n<p>Drupal is warning that hackers are attempting to exploit a &#8220;highly critical&#8221; SQL injection vulnerability announced earlier this week.<\/p>\n<p>The content management system (CMS) project published a PSA on May 18, urging administrators to reserve time for core updates that addressed an issue that threat actors might start exploiting &#8220;within hours or days.&#8221;<\/p>\n<p>The flaw is now tracked as CVE-2026-9082 and was discovered by Google\/Mandiant researcher Michael Maturi. It affects Drupal\u2019s database abstraction API. 
It allows specially crafted requests to trigger arbitrary SQL injection on sites using PostgreSQL.<\/p>\n<p>SQL injection is a flaw in which attackers inject malicious SQL commands into database queries via user input fields or dialogs on websites, resulting in unauthorized access, modification, or deletion of database data.<\/p>\n<p>The flaw is exploitable without authentication and could result in remote code execution, privilege escalation, and information disclosure.<\/p>\n<p>In an update to the advisory on May 22, Drupal confirmed that exploitation attempts have been detected.<\/p>\n<p>\u201cThe risk score has been updated to reflect that exploit attempts are now being detected in the wild,\u201d reads the updated advisory.<\/p>\n<p>Drupal rated the vulnerability as \u201chighly critical,\u201d assigning it an internal score of 23 out of 25. However, NIST has rated it as \u201cmedium severity\u201d based on a CVSS v3 score of 6.5.<\/p>\n<h3>Impact and recommendations<\/h3>\n<p>CVE-2026-9082 impacts a broad range of Drupal versions, including:<\/p>\n<ul>\n<li>Drupal 8.9.x<\/li>\n<li>Drupal 10.4.x before 10.4.10<\/li>\n<li>Drupal 10.5.x before 10.5.10<\/li>\n<li>Drupal 10.6.x before 10.6.9<\/li>\n<li>Drupal 11.0.x \/ 11.1.x before 11.1.10<\/li>\n<li>Drupal 11.2.x before 11.2.12<\/li>\n<li>Drupal 11.3.x before 11.3.10<\/li>\n<\/ul>\n<p>Website owners and administrators are advised to upgrade immediately to the latest version available for their branch.<\/p>\n<p>Those not using PostgreSQL are still advised to update, as the latest security updates also include fixes for upstream dependencies, including Symfony and&#8230;<br \/>\n<br \/><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/drupal-critical-sql-injection-flaw-now-targeted-in-attacks\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Drupal: Critical SQL injection flaw now targeted in attacks 
https:\/\/www.bleepingcomputer.com\/news\/security\/drupal-critical-sql-injection-flaw-now-targeted-in-attacks\/ Publish Date: 2026-05-22 09:14:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":254453,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/05\/22\/drupal.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,27],"class_list":["post-254452","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/254452"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=254452"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/254452\/revisions"}],"predecessor-version":[{"id":254454,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/254452\/revisions\/254454"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/254453"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=254452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=254452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=254452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}